Chapter 20 IPSec VPN

Table 91 VPN > IPSec VPN > VPN Connection > Edit (continued)

LABEL

DESCRIPTION

Active Protocol

Select which protocol you want to use in the IPSec SA. Choices are:

 

AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay

 

resistance), and non-repudiation but not encryption. If you select AH, you must

 

select an Authentication algorithm.

 

ESP (RFC 2406) - provides encryption and the same services offered by AH,

 

but its authentication is weaker. If you select ESP, you must select an

 

Encryption algorithm and Authentication algorithm.

 

Both AH and ESP increase processing requirements and latency (delay).

 

 

Encapsulation

Select which type of encapsulation the IPSec SA uses. Choices are

 

Tunnel - this mode encrypts the IP header information and the data

 

Transport - this mode only encrypts the data

 

 

Proposal

 

 

 

#

This field is a sequential value, and it is not associated with a specific proposal.

 

The sequence of proposals should not affect performance significantly.

 

 

Encryption

This field is applicable when the Active Protocol is ESP. Select which key size

 

and encryption algorithm to use in the IPSec SA. Choices are:

 

NULL - no encryption key or algorithm

 

DES - a 56-bit key with the DES encryption algorithm

 

3DES - a 168-bit key with the DES encryption algorithm

 

AES128 - a 128-bit key with the AES encryption algorithm

 

AES192 - a 192-bit key with the AES encryption algorithm

 

AES256 - a 256-bit key with the AES encryption algorithm

 

The ZyWALL and the remote IPSec router must use the same key. Longer keys

 

require more processing power, resulting in increased latency and decreased

 

throughput.

 

 

Authentication

Select which hash algorithm to use to authenticate packet data in the IPSec SA.

 

Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5,

 

but it is also slower.

 

 

Add icon

This column contains icons to add and remove proposals.

 

To add a proposal, click the Add icon at the top of the column.

 

To remove a proposal, click the Remove icon next to the proposal. The

 

ZyWALL confirms that you want to delete it before doing so.

 

 

SA Life Time

Type the maximum number of seconds the IPSec SA can last. Shorter life times

(Seconds)

provide better security. The ZyWALL automatically negotiates a new IPSec SA

 

before the current one expires, if there are users who are accessing remote

 

resources.

 

 

Perfect Forward

Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if

Secrecy (PFS)

you do, which Diffie-Hellman key group to use for encryption. Choices are:

 

none - disable PFS

 

DH1 - enable PFS and use a 768-bit random number

 

DH2 - enable PFS and use a 1024-bit random number

 

DH5 - enable PFS and use a 1536-bit random number

 

PFS changes the root key that is used to generate encryption keys for each

 

IPSec SA. It is more secure but takes more time.

 

 

Policy

 

 

 

300

 

ZyWALL USG 300 User’s Guide